HP-UX IPFilter Version 16 Administrator's Guide
If IPFilter is not enabled, enable it by entering the following command:
ipfilter -e
Load the rulesets after enabling IPFilter. See “Loading IPv4 Filter Rules” (page 34).
On all HP-UX versions, verify that HP-UX IPFilter is running by entering the following
command:
ipf -V
The running field should say yes. If it says no, then the HP-UX IPFilter module has not
been loaded. It might have been explicitly unloaded.
To load IPFilter again, use:
/sbin/init.d/ipfboot start
To determine if the HP-UX IPFilter DLKM modules are loaded, execute either the
kmadmin(1M) command on HP-UX 11i v1 or the kcmodule(1M) command on HP-UX 11i
v2 and HP-UX 11i v3. See the respective manpages for more information.
Load the rules and check again that IPFilter works. If it still does not work, reboot the system
and check /etc/rc.log and /var/adm/syslog/syslog.log for errors.
• The host does not seem to be on the network and ping messages do not go through.
Check the rules you have configured using ipfstat -io. This command will display the
active inbound and outbound rules.
NOTE: If you are using /etc/opt/ipf/ipf.conf as your rules file, then IPFilter will
load it at boot time. The IPFilter startup script /sbin/init.d/ipfboot:
— Loads the IPFilter module.
— Starts the logging daemon, ipmon.
— Loads any uncommented rules in the /etc/opt/ipf/ipf.conf file.
— Loads any uncommented rules in the /etc/opt/ipf/ipf6.conf if IPv6 is enabled
on the system.
If your rules file blocks packets for network services (that is, the last effective rule amounts
to “block in all”), the boot sequence might not complete, for example, when sendmail, SNMP,
and NIS are configured on the system.
• Nothing is logged.
Verify the following:
ipf -V should show the logging file as available.
ps -ef | grep ipmon to verify that ipmon is running. During bootup, ipmon is started. If it
is not running, start it by using:
ipmon -sD
The -s option specifies that the log records go to /var/adm/syslog/syslog.log and
the -D option directs ipmon to run as a daemon in the background.
• Errors occur when loading rules.
# ipf -f rule_file
ioctl (add/insert rule); File Exists
This occurs when you try to add a rule that is already loaded. Use the following command
to load rules:
ipf -Fa -f rulefile
The -Fa option will flush any previous rules present and all rules will be reloaded.
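The checks in this troubleshooting list can be scripted so that a host can be inspected the same way every time. The following POSIX shell script is an added example and is not part of the HP-UX IPFilter guide or the ipfboot startup script. It parses the output of ipf -V for the running and logging fields, looks for ipmon in ps -ef output, lists the uncommented rules that ipfboot would load, and warns when the last rule in the file is “block in all”. The ipf -V and ps -ef outputs and the rules file embedded below are constructed samples so the script runs anywhere; the exact layout of ipf -V output on a real system may differ from the sample.

```shell
#!/bin/sh
# Added example, not from the HP-UX IPFilter guide. On a real HP-UX host the
# constructed samples below are replaced by the live outputs, for example:
#   ipf -V | ipf_field Running
#   ps -ef | ipmon_running
#   active_rules < /etc/opt/ipf/ipf.conf

# CONSTRUCTED sample of `ipf -V` output. Field names follow the guide's
# wording ("Running", "Logging"); the real layout may differ.
SAMPLE_IPF_V='ipf: IP Filter: v3.5alpha5 (336)
Kernel: IP Filter: v3.5alpha5
Running: yes
Log Flags: 0 = none
Default: pass all, Logging: available
Active list: 0'

# CONSTRUCTED sample of `ps -ef` output with ipmon running as a daemon.
SAMPLE_PS='    root     1     0  0 10:00:00 ?  0:01 init
    root   412     1  0 10:00:05 ?  0:00 /sbin/ipmon -sD
    root   901     1  0 10:02:11 ?  0:00 /usr/sbin/sshd'

# CONSTRUCTED sample rules file. The pass-in rule for ssh is commented out,
# so the only effective inbound rule is the trailing "block in all".
SAMPLE_RULES='# ipf.conf (constructed sample)
pass out quick on lan0 all keep state
# pass in quick proto tcp from any to any port = 22
block in all'

# ipf_field NAME: print the value that follows "NAME:" in ipf -V output read
# from stdin. Works for fields that share a line ("..., Logging: available").
ipf_field() {
    awk -v f="$1:" '{ for (i = 1; i < NF; i++) if ($i == f) { print $(i+1); exit } }'
}

# ipmon_running: succeed if a process named ipmon appears in ps -ef output on
# stdin (the grep that looks for it is excluded, as with ps -ef | grep ipmon).
ipmon_running() {
    grep -v 'grep ipmon' | grep -q 'ipmon'
}

# active_rules: mirror what ipfboot loads by dropping comments and blank lines.
active_rules() {
    sed -e 's/#.*$//' -e '/^[[:space:]]*$/d'
}

# last_rule_blocks_all_in: succeed if the last loaded rule is "block in all".
# IPFilter applies the last matching rule unless "quick" is used, so a trailing
# "block in all" is the inbound default; earlier "pass in quick" rules would
# still admit specific services, so treat a hit as a prompt to review the file
# before the next boot, not as a verdict.
last_rule_blocks_all_in() {
    active_rules | tail -1 | grep -q '^block[[:space:]][[:space:]]*in[[:space:]][[:space:]]*all'
}

# report: run the checks above against the constructed samples and print the
# corrective action from the guide for each problem found.
report() {
    running=$(printf '%s\n' "$SAMPLE_IPF_V" | ipf_field Running)
    logging=$(printf '%s\n' "$SAMPLE_IPF_V" | ipf_field Logging)
    [ "$running" = yes ] || echo "IPFilter not running: /sbin/init.d/ipfboot start, then reload rules"
    [ "$logging" = available ] || echo "logging not available: check ipf -V and ipmon"
    printf '%s\n' "$SAMPLE_PS" | ipmon_running || echo "ipmon not running: ipmon -sD"
    if printf '%s\n' "$SAMPLE_RULES" | last_rule_blocks_all_in; then
        echo "last rule is 'block in all': boot may hang if sendmail, SNMP or NIS are configured"
    fi
    return 0
}

report
```

With the constructed samples the script reports only the “block in all” warning; uncommenting the ssh pass-in rule in the sample does not silence it, because the check looks at the last rule only, which is the point of the guide's warning about the last effective rule.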
82 Troubleshooting HP-UX IPFilter